RESOLVED CONFIGURATION CHANGED 272296
nullderef in FloatingObjects::moveAllToFloatInfoMap
https://bugs.webkit.org/show_bug.cgi?id=272296
Summary: nullderef in FloatingObjects::moveAllToFloatInfoMap
bin7o8v
Reported 2024-04-07 00:01:15 PDT
Created attachment 470799: PoC

Version:
- OS: Ubuntu Desktop 22.04
- WebKit: WebKitGTK 2.43.4

How to reproduce:
1. Compile WebKit from source
2. Serve poc.html on 127.0.0.1:8080
3. Launch MiniBrowser with url 127.0.0.1:8080/poc.html

Crash log:
==1949221==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7fb9750c6c0d bp 0x7fff8d968e10 sp 0x7fff8d968da0 T0)
==1949221==The signal is caused by a READ memory access.
==1949221==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
    #0 0x7fb9750c6c0d in WTF::RefPtr<WTF::SingleThreadWeakPtrImpl, WTF::RawPtrTraits<WTF::SingleThreadWeakPtrImpl>, WTF::DefaultRefDerefTraits<WTF::SingleThreadWeakPtrImpl>>::operator bool() const /webkitgtk-2.43.4/build-asan/WTF/Headers/wtf/RefPtr.h:77:47
    #1 0x7fb9750c6c0d in WTF::WeakPtrFactory<WebCore::CachedResourceClient, WTF::SingleThreadWeakPtrImpl>::initializeIfNeeded(WebCore::CachedResourceClient const&) const /webkitgtk-2.43.4/build-asan/WTF/Headers/wtf/WeakPtr.h:200:13
    #2 0x7fb9782da52e in WTF::SingleThreadWeakPtrImpl& WTF::WeakRef<WebCore::RenderBox, WTF::SingleThreadWeakPtrImpl>::implForObject<WebCore::RenderBox>(WebCore::RenderBox const&) /webkitgtk-2.43.4/build-asan/WTF/Headers/wtf/WeakRef.h:121:33
    #3 0x7fb9782da52e in WTF::WeakRef<WebCore::RenderBox, WTF::SingleThreadWeakPtrImpl>::WeakRef<void>(WebCore::RenderBox&, WTF::EnableWeakPtrThreadingAssertions) /webkitgtk-2.43.4/build-asan/WTF/Headers/wtf/WeakRef.h:46:18
    #4 0x7fb9782da52e in WebCore::FloatingObjects::moveAllToFloatInfoMap(WTF::HashMap<WTF::WeakRef<WebCore::RenderBox, WTF::SingleThreadWeakPtrImpl>, std::unique_ptr<WebCore::FloatingObject, std::default_delete<WebCore::FloatingObject>>, WTF::DefaultHash<WTF::WeakRef<WebCore::RenderBox, WTF::SingleThreadWeakPtrImpl>>, WTF::HashTraits<WTF::WeakRef<WebCore::RenderBox, WTF::SingleThreadWeakPtrImpl>>, WTF::HashTraits<std::unique_ptr<WebCore::FloatingObject, std::default_delete<WebCore::FloatingObject>>>, WTF::HashTableTraits>&) /webkitgtk-2.43.4/Source/WebCore/rendering/FloatingObjects.cpp:303:17
    #5 0x7fb978440857 in WebCore::RenderBlockFlow::rebuildFloatingObjectSetFromIntrudingFloats() /webkitgtk-2.43.4/Source/WebCore/rendering/RenderBlockFlow.cpp:227:32
    #6 0x7fb97844a21a in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) /webkitgtk-2.43.4/Source/WebCore/rendering/RenderBlockFlow.cpp:502:5
    #7 0x7fb9783f964f in WebCore::RenderBlock::layout() /webkitgtk-2.43.4/Source/WebCore/rendering/RenderBlock.cpp:582:5
    #8 0x7fb9784538c7 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) /webkitgtk-2.43.4/Source/WebCore/rendering/RenderBlockFlow.cpp:939:9
    #9 0x7fb97844ef0d in WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) /webkitgtk-2.43.4/Source/WebCore/rendering/RenderBlockFlow.cpp:834:9
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/webkitgtk-2.43.4/build-asan/lib/libwebkit2gtk-4.0.so.37+0x58c9c0d)
==1949221==ABORTING
Attachments
PoC (703 bytes, text/html)
2024-04-07 00:01 PDT, bin7o8v
no flags
Radar WebKit Bug Importer
Comment 1 2024-04-08 11:20:10 PDT
John Wilander
Comment 2 2024-07-22 13:07:09 PDT
Cc'ing Michael since this was reported using the GTK port.
Michael Catanzaro
Comment 3 2024-07-22 15:17:29 PDT
I can reproduce by simply clicking on attachment #470799. I doubt it's platform-specific. The problem seems to be that FloatingObject::renderer will crash if m_renderer is nullptr, and m_renderer is a weak pointer so it's expected to be possibly nullptr. Ideally somebody familiar with rendering would look closer.
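The bug class Comment 3 describes, as an added illustration that is not WebKit's code and not part of the original report: a float record keeps a weak reference to its box, the box can be destroyed first, and a function that rebuilds a map keyed by the box must treat the weak reference as nullable rather than turn it into a reference unconditionally. Everything here is a stand-in (std::weak_ptr in place of WTF::WeakPtr/WeakRef; the names RenderBox, FloatingObject, moveAllToFloatInfoMapChecked and runScenario are hypothetical and constructed for this example).

```cpp
#include <algorithm>
#include <cassert>
#include <cstdio>
#include <map>
#include <memory>
#include <vector>

// Hypothetical stand-in for a layout box; this is not WebKit's RenderBox.
struct RenderBox {
    explicit RenderBox(int id) : id(id) {}
    int id;
};

// Hypothetical float record that only weakly references its box, mirroring the
// shape Comment 3 describes: the referent may already be gone when it is read.
struct FloatingObject {
    explicit FloatingObject(const std::shared_ptr<RenderBox>& box) : m_renderer(box) {}
    std::weak_ptr<RenderBox> m_renderer;

    // Unchecked accessor: returns a reference to whatever the weak pointer yields.
    // Calling it after the box has been destroyed is the null dereference the
    // report shows (lock() yields an empty pointer and *empty is undefined).
    RenderBox& rendererUnchecked() const { return *m_renderer.lock(); }

    // Checked accessor: empty when the box is gone, so callers have to branch.
    std::shared_ptr<RenderBox> rendererIfAlive() const { return m_renderer.lock(); }
};

using FloatInfoMap = std::map<const RenderBox*, std::unique_ptr<FloatingObject>>;

struct MoveResult {
    FloatInfoMap map;
    size_t moved = 0;
    size_t skipped = 0;
};

// Hardened move: a record whose renderer has died is dropped (and counted)
// instead of being keyed by a reference built from a null weak pointer.
MoveResult moveAllToFloatInfoMapChecked(std::vector<std::unique_ptr<FloatingObject>>& floats)
{
    MoveResult result;
    for (auto& floatingObject : floats) {
        auto box = floatingObject->rendererIfAlive();
        if (!box) {
            ++result.skipped; // stale record: its box was destroyed earlier
            continue;
        }
        result.map.emplace(box.get(), std::move(floatingObject));
        ++result.moved;
    }
    floats.clear();
    return result;
}

struct ScenarioOutcome {
    size_t moved;
    size_t skipped;
    std::vector<int> liveIds; // ids of the boxes that made it into the map
};

// Constructed scenario: three boxes with float records, the second box is
// destroyed before the map is rebuilt.
ScenarioOutcome runScenario()
{
    auto a = std::make_shared<RenderBox>(1);
    auto b = std::make_shared<RenderBox>(2);
    auto c = std::make_shared<RenderBox>(3);

    std::vector<std::unique_ptr<FloatingObject>> floats;
    floats.push_back(std::make_unique<FloatingObject>(a));
    floats.push_back(std::make_unique<FloatingObject>(b));
    floats.push_back(std::make_unique<FloatingObject>(c));

    b.reset(); // box 2 goes away while its float record still exists

    MoveResult result = moveAllToFloatInfoMapChecked(floats);

    ScenarioOutcome outcome { result.moved, result.skipped, {} };
    for (const auto& entry : result.map)
        outcome.liveIds.push_back(entry.first->id); // a and c are still alive here
    std::sort(outcome.liveIds.begin(), outcome.liveIds.end());
    return outcome;
}

int main()
{
    ScenarioOutcome outcome = runScenario();
    std::printf("moved=%zu skipped=%zu\n", outcome.moved, outcome.skipped);
    return 0;
}
```

The checked path is the one a defender wants in layout code that walks stale bookkeeping: a weak reference is a statement that the referent may be gone, and the only safe way to key a map by it is to test for liveness first and drop (or log) the stale entry.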
zalan
Comment 4 2024-07-22 19:54:27 PDT
I can't reproduce this on my local build. At certain viewport width, MiniBrowser hangs and eventually crashes with OOM (we keep adding new inline lines to avoid floats until wtf::vector's expandCapacity gives up).
Ryosuke Niwa
Comment 5 2024-08-02 13:18:39 PDT
I can't reproduce the crash on a local build of WebKit either.
zalan
Comment 6 2024-08-02 13:52:15 PDT
This function has been removed from the codebase.